Researchers have identified a new Linux botnet called SSHStalker that relies on the outdated IRC protocol for its command-and-control operations. The botnet spreads through SSH scanning and brute-forcing, targeting cloud infrastructure. It pairs exploits for old vulnerabilities with persistence mechanisms to broaden its infections.
The SSHStalker botnet, documented by threat intelligence firm Flare, operates using the Internet Relay Chat (IRC) protocol, originally developed in 1988 and popular in the 1990s for text-based messaging. This choice emphasizes simplicity, low bandwidth, and resilience through multiple C-based bots and redundant servers and channels, rather than advanced stealth techniques.
Initial infection occurs via a Go-based tool disguised as the nmap network scanner, which performs noisy SSH scans and brute-force attacks. Once inside a host, the malware uses the compromised system to scan for more targets, enabling worm-like propagation. Flare analyzed a file containing results from nearly 7,000 scans conducted in January, primarily aimed at Oracle Cloud infrastructure.
After gaining access, SSHStalker downloads the GCC compiler to build payloads directly on the victim machine, enhancing portability. It then deploys C-coded IRC bots with predefined command-and-control servers and channels to integrate the host into the network. Additional components from archives named GS and bootbou handle orchestration.
Persistence is maintained through cron jobs running every 60 seconds, acting as a watchdog that restarts the main process if it is terminated. For privilege escalation after its initial low-privilege entry, the botnet carries exploits for 16 known common vulnerabilities and exposures (CVEs) in Linux kernels from 2009-2010.
Monetization features include harvesting AWS keys, scanning websites, and deploying the PhoenixMiner for Ethereum cryptomining. DDoS tools are built-in but unused so far; bots typically connect to C2 servers and remain idle, indicating possible testing or resource stockpiling.
Flare notes resemblances to the Outlaw/Maxlas botnet family and Romanian-linked indicators but has not tied it to a specific group. To counter it, the firm advises monitoring for compiler activity, IRC outbound traffic, and frequent cron jobs. Defensive steps include disabling SSH password logins, removing compilers from production environments, applying egress filters, and blocking execution in /dev/shm.
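As an added illustration of the monitoring advice above (not code from Flare or the article), the script below applies the three detection points, every-minute cron jobs run from world-writable directories, outbound IRC traffic, and compiler execution, to constructed sample records of the kind a host agent might export. The IRC port set, the compiler names, and the five-field user-crontab layout are assumptions of this example.

```python
import re

# Constructed sample data (not from the article): user-crontab lines, outbound
# connections as (proto, src, dst, dport), and process command lines.
CRONTAB = [
    "* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1",   # watchdog style entry
    "0 3 * * * /usr/bin/certbot renew",               # benign nightly job
    "*/1 * * * * /tmp/.gs/watchdog",                  # same cadence, other syntax
]
CONNECTIONS = [
    ("tcp", "10.0.0.5", "203.0.113.7", 6667),
    ("tcp", "10.0.0.5", "198.51.100.2", 443),
    ("tcp", "10.0.0.5", "203.0.113.9", 6697),
]
EXECS = [
    "/usr/bin/gcc -o /dev/shm/.x/bot bot.c",
    "/usr/bin/python3 app.py",
    "/usr/bin/cc -O2 -o /tmp/gs gs.c",
]

# Assumed: the commonly used plaintext IRC range plus the registered TLS port.
IRC_PORTS = set(range(6660, 6670)) | {6697}
# Assumed: compiler/build binaries that should not run on a production host.
COMPILERS = {"gcc", "cc", "g++", "clang", "tcc", "make"}

def every_minute(schedule):
    """True when a five-field cron schedule fires every minute."""
    f = schedule.split()
    return len(f) == 5 and f[0] in ("*", "*/1") and all(x == "*" for x in f[1:])

def suspicious_cron(lines):
    """Return (command, reasons) for jobs matching the article's persistence pattern."""
    hits = []
    for line in lines:
        parts = line.split(None, 5)
        if not line.strip() or line.lstrip().startswith("#") or len(parts) < 6:
            continue  # comments, blanks and @reboot-style lines are skipped
        sched, cmd = " ".join(parts[:5]), parts[5]
        reasons = []
        if every_minute(sched):
            reasons.append("every-minute schedule")
        if re.search(r"(^|\s)/(dev/shm|tmp)/", cmd):
            reasons.append("runs from world-writable dir")
        if reasons:
            hits.append((cmd, reasons))
    return hits

def irc_egress(conns):
    """Outbound TCP connections to IRC ports, the traffic egress filtering should block."""
    return [c for c in conns if c[0] == "tcp" and c[3] in IRC_PORTS]

def compiler_execs(execs):
    """Command lines whose program is a compiler (the bots are built with gcc on the victim)."""
    return [e for e in execs if e.split()[0].rsplit("/", 1)[-1] in COMPILERS]
```

Run on real exports, the three functions give a short list to triage rather than a verdict; a legitimate every-minute job or a build host will appear and needs a local allowlist.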